(54) Secure printing

(57) In a distributed computing environment, a user 
is able to send a document to a secure printer (140) in 
such a way that only a specified intended recipient can 
print the document. 

When the user specifies that the document is to be printed securely,
a special print job is created in which the document is encrypted
using a session key and a bulk encryption algorithm, and the session
key is encrypted using the intended recipient's public key. Then the
encrypted session key, the encrypted document and an indication of
the intended recipient's identity are transmitted to a print server
(130), where the print job is held.

When the recipient's smart card (145) is inserted into a smart card
reader of the secure printer (140), the recipient's identity, taken
from the smart card (145), is transmitted to the print server (130).
The print server uses the identity to search for and retrieve
documents intended for the recipient. If the recipient is the
intended recipient, the encrypted document and encrypted session key
are transmitted to the secure printer (140). The secure printer (140)
then forwards the encrypted session key to the smart card (145),
which decrypts the session key using an embedded private key. Then
the secure printer (140) receives and uses the session key to decrypt
the encrypted document and, finally, prints the document for the
recipient.
Description

Technical Field 

[0001] The present invention relates to hardcopy production of
documents and particularly, but not exclusively, to document
printing.

Background Art 

[0002] It is well known to generate or design a document using a
computer-based text editing or graphics package, for example
Microsoft™ Word or Microsoft™ PowerPoint respectively. Once
generated, a document can be printed. Typically the package or a
print driver formats the document into a printer file that can be
received and interpreted by a printer. Example printer file formats
are PCL or PostScript. Printer files can be sent directly by the
package to a printer to be printed, or can be stored for printing at
a later time.
[0003] This principle typically applies to all types of printer, for
example, laser printers, ink jet printers, impact printers and
thermal printers, and in general to other hardcopy devices such as
plotters or facsimile machines. Conveniently, herein, the term
"printer" covers all such different types of printer, or other
hardcopy or document rendering apparatus and devices.
[0004] Also, for the sake of convenience of description herein, the
term "document" will hereafter be used to denote a document in any
state, including (but not limited to) when viewed on a computer
display, when formatted as a printer file ready for printing, and
when in hardcopy form. The state the document is in at any point in
the description depends on the context. Also, a "document" may
include text, graphics or mixed representations.

[0005] The advent of distributed computer systems made it possible
for a single 'network' printer to be used by multiple users.
Typically network printers are attached to computing platforms
operating as print servers within distributed systems. Alternatively,
some printers, given appropriate interfaces, can be arranged to
connect directly to the network of a distributed system.
[0006] Network printers, whether connected directly or via a print
server, to a network, can provide a substantial cost advantage, since
each user need not have his own printer connected to, or located near
to, his own computer system.

[0007] The ability to access network printers, and other devices,
from a local computer, is readily supported by operating systems such
as Unix, or Microsoft's™ Windows™ NT, which are designed to be
configured to manage distributed operations such as remote printing
or data management.
[0008] One problem with printing documents on remote network
printers, is that any person near to the printer could remove or read
printed documents containing sensitive information, which do not
belong to them, before the intended recipients are able to retrieve
the documents. One way around this is for users who need to print
sensitive documents to arrange for a trusted person to stand by the
printer while the document is printing and collect the document as
soon as it has printed. This, of course, is inconvenient.
[0009] Another way to increase security is to print sensitive
documents only on a local printer. The latter case, however,
undermines any cost advantages gained in having a centrally located,
network printer, especially if many users need to print sensitive
documents.
[0010] Another problem associated with remote printing of sensitive
documents is that a malicious party could intercept or monitor the
transfer of data between the local computer and network printer. For
example, anyone with access to a print spooler or print server
receiving the document for printing could access the document. This
would be highly undesirable and, again, could be overcome by using a
local printer attached directly to the originating computer instead.

Disclosure of the Invention

[0011] Aspects of the present invention aim to increase the security
of remote printing.

[0012] According to a first aspect the present invention provides a
method of printing a document in a distributed computer system
comprising a client, a print server, printing apparatus and a network
for interconnecting components of the distributed computer system,
the method comprising the steps of:

a sender selecting a document to be printed, identifying an intended
recipient for the document and causing the client to transmit to the
print server the document accompanied by a first identifier for the
intended recipient;

receiving and storing the document and the associated first
identifier on the print server;

a recipient providing the printing apparatus with a second
identifier, the printing apparatus receiving the second identifier
and transmitting to the print server a request, including the second
identifier, to receive documents from the print server;

the print server receiving the request, comparing the second
identifier with the stored first identifier and, for matching
identifiers, forwarding the document associated with the first
identifier to the printing apparatus; and

the printing apparatus receiving and printing the document.

[0013] Advantageously a document is only printed when the intended
recipient interacts with the printing apparatus in order to retrieve
and print the previously-submitted document. In fact, the intended
recipient may be the same person as the sender.
[0014] In a preferred embodiment, in order to increase security even
further the client encrypts the document prior to transmitting it to
the print server and the printing apparatus decrypts the encrypted
document prior to printing it.

[0015] Thus, even if a document were intercepted during transfer
between the client and the printing apparatus, say, it would be a
non-trivial task for the intercepting party to decrypt the document.
[0016] Preferably, the printing apparatus interacts with a smart card
in order to retrieve and/or decrypt the document using information
and/or functionality programmed into a smart card provided by the
recipient. The smart card may contain the second identifier and may
be programmed to assist with document decryption.

[0017] According to a second aspect, the present invention provides
printing apparatus arranged for receiving and printing documents,
comprising:

an interface for connecting the printer to a print server;

an input/output means for interacting with a user and receiving an
identity from the user;

processing means for generating a request for a document, the request
including the identity of the user, transmitting the request to the
print server and receiving a document from the print server; and

means for printing the document for the user.

[0018] Further aspects, features and embodiments of the present
invention will become apparent to the skilled addressee from the
following detailed description and claims.

Brief Description of the Drawings

[0019] Embodiments of the present invention will now be described, by
way of example only, with reference to the accompanying drawings, of
which:

Figure 1 is a diagram which illustrates a distributed computing
environment which supports secure printing in accordance with an
embodiment of the present invention;

Figure 2 is a block diagram of an architecture for a printer
according to the present embodiment;

Figure 3 is a flow diagram which illustrates the steps involved in a
user submitting a document for secure printing; and

Figure 4 is a flow diagram which illustrates the steps involved in a
secure printer retrieving and printing a print job.

Best Mode For Carrying Out the Invention, & Industrial Applicability

[0020] In Figure 1, a local computer 100, for example an Intel
Pentium based computer operating under Windows NT 4.0, includes the
standard components of a keyboard, a display and a mouse (none of
which are shown). The local computer 100 is attached to a network
110, for example a network supporting the TCP/IP protocol. The local
computer 100 provides a secure printer process, or client, which is a
software routine that can be initiated by a user when secure printing
is required. The process, and all other processes in this embodiment,
can be written in any general purpose programming language, such as
C++.

[0021] Also connected to the network 110 are a directory server 120,
a document store 130, a secure printer 140 and billing engine 150.
[0022] The directory server 120 is a process running on a computer,
which has access to a database 125 of user-specific information,
known as user-profiles. The directory server 120 is arranged to
receive from requesting processes requests for specific information
for particular users, and returns the specific information to the
requesting process whenever possible. The computer running the
directory server 120 could be a Unix or Windows NT platform connected
to the network 100 via an appropriate interface. The directory server
120 in the present embodiment is a simple database, which receives
enquiries and returns relevant data, but it could be based on
purpose-built directory services such as Novell's NDS or Microsoft's
Active Directory. In accordance with the present embodiment, the
directory server 120 is configured to receive a request including a
user identity and return at least a public encryption key associated
with the identified user. Communications with the directory server
120 may be with a network protocol such as the Lightweight Directory
Access Protocol (LDAP).
[0023] The document store 130 is a process running on a computer
which receives and stores encrypted document files and associated
user identities. The document store 130 also receives requests to
forward to specified locations encrypted document files having a
specified identity. Again, the computer running the directory server
120 could be a Unix or Windows NT platform connected to the network
100 via an appropriate interface.

[0024] In practice, the document store 130 can be a modified print
spooler or print server process, which has access to a large amount
of data storage, for example provided by a disk drive 135. The
spooler or server is modified in the respect that it is arranged to
recognise encrypted documents and, rather than forwarding them to a
specific printer, hold or store the encrypted documents. The spooler
or server is also modified to receive requests from printers for
specific encrypted documents, search for the specified encrypted
documents and transfer the encrypted documents to the requesting
printer.

[0025] It should be noted that the document store 130 in the present
embodiment is an untrusted part of the distributed system, in that
the document store 130 is configured to return documents to any
requesting printer, or other device using an appropriate protocol.
The present embodiment relies on the security of the strong
encryption applied to the document to protect the information in the
document.

[0026] In other embodiments, where security is even more important,
it is envisaged that the document store 130 would further incorporate
authentication functionality, which would allow the document store to
authenticate either the requesting printer or smart card user.
Authentication systems using, for example, digital signatures are
well known and will not be considered herein in any more detail.

[0027] The architecture of the printer 140 according to the present
embodiment is illustrated in more detail in Figure 2. Figure 2
illustrates a central processing unit (CPU) 200 that controls a print
engine 210, which is a standard part of any printer that enacts
printing, and the details thereof are beyond the scope of the present
description. A read only memory (ROM) 220 is connected to the CPU 200
by an appropriate system bus 205. The ROM 220 contains the
instructions that form the control program for the printer. Also
connected to the system bus 205 is non-volatile memory (NV-RAM) 230
and main memory (DRAM) 240. The NV-RAM 230 can be EEPROM or Flash RAM
for receiving and storing services downloaded into the printer. The
DRAM 240 is used by the printer as buffer memory, for receiving jobs
to be printed, and is also used by the CPU 200 in the present
embodiment as workspace for decryption and session key storage. All
the features of the printer 140 described so far are standard on many
generally available printers. The diagram also illustrates the
standard printer features of a network interface 250, various sensors
260, for example 'paper out', and a front panel display and keypad
270, all connected to the CPU via the system bus 205. Finally, a
smart card reader 280 is provided, also connected to the system bus
205, although it could alternatively be connected via the printer's
RS232 port, where one is available. Thus, the only significant,
non-standard hardware feature of the printer is the smart card reader
280. The other differences depend on software or firmware processing.
[0028] Smart card readers are generally available and conform to
accepted standards. The smart card reader used in the present
embodiment supports the ISO 7816 standard (levels 1 to 4), and some
extra functionality not covered by the ISO standard, which is
described herein. Corresponding smart cards are also readily
available, and are programmable to operate as described herein.
[0029] In practice, the smart card reader can be incorporated into
the casing of a standard printer. Thus, in this case, the only
significant, noticeable difference about the printer is a slot 143 in
the casing into which a smart card 145 can be inserted and retrieved.
[0030] Printers which generally have the features illustrated in
Figure 2 are a Hewlett-Packard LaserJet 5 or a Hewlett-Packard
LaserJet 4000. In either printer, the printer's conventional control
program can be modified as described herein, by either replacing the
printer's firmware, in ROM 220, or by creating a 'service', which can
be downloaded into the printer's flash memory, NV-RAM 230, from the
network.

[0031] Details on how to modify control programs in Hewlett-Packard
and others' printers are beyond the scope of the present description,
but are readily available from Hewlett-Packard Company or from the
respective other printer manufacturers.

[0032] The foregoing description describes a printer with an integral
smart card reader, wherein the printer itself is programmed with
functionality to retrieve and process encrypted documents. In an
alternative embodiment, printing apparatus may be provided comprising
a general purpose printer and an external smart card reader unit
connected to the printer via a serial port. The smart card unit is
also provided with a network interface, for connecting the unit to a
network, and an appropriately programmed processor and memory to
enable the combination of the general purpose printer and the smart
card reader unit to operate as printing apparatus according to the
present invention. In effect, the smart card reader unit is designed
to interact with the recipient, who inserts his smart card, interact
with the document store 130 to retrieve and decrypt the session key
and the encrypted document, and forward the document to the printer
to be printed.
[0033] Clearly, this embodiment does provide a weak link in the
security of the overall system, by passing the unencrypted document
over the communications link between the smart card reader unit and
the printer. However, it is believed that the associated risks are
minimised when the printer and smart card reader unit are co-located.

[0034] Such an arrangement may be preferable where a business wishes
to utilise the invention in a cost effective way using existing
printing equipment. It is also envisaged that the functionality in
the printer and the smart card reader unit necessary to implement the
invention may be partitioned in other ways, depending on the
circumstances.

[0035] The billing system 150 is a process running on a computer
which electronically bills users of the secure printing system. There
are three main areas where users could be billed, which are for:
submission of an encrypted document to the document store 130;
storage by the document store 130 of a document for a specified time;
and transmission and successful printing of the document. Other acts,
such as using the directory server 120, could potentially also be
billed. The sender or the recipient, or both, could be billed for any
or each of these acts. For example, the sender could be billed for
the submission, and the recipient could be billed for the storage and
printing of the document. Of course, the sender and the recipient
might be the same person, or different people from the same
organisation, in which case a single person or organisation
respectively would be billed for everything. Further, the owner of
the document store and the owner of the printer might be different
independent service providers. For example, in the case where the
printer is in a public place, and is for use by the public, then the
printer's owner would want financial reward for providing the
service. Therefore, it would be necessary for a printer to identify
itself in enough detail that the billing system 150 could allocate
billed funds to the printer's owner.

[0036] For every act, it is necessary to identify the party to be
billed and the party to be paid. Electronic identification and
authentication for the purposes of electronic billing are well known
in the field of electronic commerce, and will not therefore be
discussed in any more detail herein.

[0037] The operation of the local computer 100 in submitting a secure
print job will now be described with reference to the flow diagram in
Figure 3.
[0038] In step 300 of Figure 3, the local computer's operator (not
shown), in other words the document's sender, has a document, for
example a word-processed document, to be submitted for printing. The
sender initiates the secure printing process for the secure printing
of the document, in step 305. The secure printing process, in step
310, generates a graphical user interface, which requires the sender
to enter the document details and the identity of the intended
recipient. Of course, the intended recipient might be the sender
himself. The sender enters the required details in step 315. Having
received a valid input from the sender, the process, in step 320,
continues by transmitting a request including the details input by
the sender to the directory server 120. In response, the directory
server 120 returns to the secure printing process the public key for
the intended recipient, in step 325.
[0039] Next, in step 330, the secure printer process formats the
document into a page description language, such as PostScript or PCL,
which is interpretable by a printer. Obviously the language will
depend on the type of printer or other hardcopy apparatus to be used.
The secure printer process then, in step 335, applies bulk encryption
to the formatted document while retaining its integrity. This can be
achieved using a message digest function such as the Secure Hash
Algorithm (SHA-1) and a symmetric block or stream cipher, for
instance, Data Encryption Standard (DES). The cipher uses a random
number generated by the secure printer process to enact the
encryption. The random number constitutes a session key. This step is
a symmetric encryption step, which relies on a recipient having
access to the session key to decrypt the document.
[0040] Alternative message digest algorithms, such as MD5, symmetric
ciphers such as CAST or IDEA, and asymmetric algorithms such as the
Elliptic Curve ElGamal encryption scheme can be used instead of the
algorithms specified earlier.

[0041] In step 340, the secure printer process then applies an
asymmetric encryption algorithm, such as RSA, to the session key,
using the intended recipient's retrieved public key. Thus, after this
step, only someone who has knowledge of the private key associated
with the public key can decrypt the session key and hence then
decrypt the document.

[0042] In some embodiments, where the whole procedure is enacted
within the bounds of a relatively trusted or secure environment, it
might be felt unnecessary to use the encryption stages. In such
cases, for example where the messages are never transmitted outside
of a single building, it might be sufficient to arrange that a
document is only printed when a recipient is available at the
printer.

[0043] In step 345, the secure printing process forwards across the
network 110, to the document store 130, a message comprising the
encrypted document, an 'envelope' for the document (which contains
the encrypted session key), and the respective identity of the
intended recipient.

[0044] Finally, in step 350, the document store 130 receives the
message and stores it appropriately to hard disk 135.

[0045] The process of securely printing a document retrieved from the
document store 130 will now be described with reference to the flow
diagram in Figure 4.

[0046] In step 400 of Figure 4, the intended recipient of the
document, which has been stored by the document store 130 as
described already, inserts his smart card into the smart card reader
280 of the secure printer 140. The smart card includes the
recipient's identity and the recipient's private key. Although not
illustrated in the flow diagram, it would be typical at this stage
for the printer 140 to request entry by the recipient of a personal
identification number, to verify that the recipient is the genuine
owner of the smart card, and not someone who has found, or even
stolen, it.

[0047] The smart card reader 280 reads the smart card, in step 405,
and extracts the identity therefrom. Then, in step 410, the smart
card reader 280 forwards the identity to the printer's CPU 200. The
CPU 200 receives the identity in step 415 and generates a message
including the identity, in step 420, which it forwards to the
document store 130 in step 425.
[0048] In step 430, the document store 130 receives the message and,
in step 435, searches the hard disk 135 for any documents having the
same identity. In the present embodiment, the document store 130 will
find one document. However, in general, there may be none, or any
number of documents having a matching identity stored on the hard
disk 135. At this stage, the document store 130 and printer 140 may
be arranged to interact to provide status information to the
recipient, displayed on a front panel display 270 of the printer, for
example showing the number of documents awaiting printing, or that
there are no documents waiting. Additionally the recipient may even
be given a choice of which (of several) documents he would like to
retrieve.
[0049] Next, in step 440, the document store 130 returns to the
printer 140 only the envelope for the document having the matching
identity. In principle, the document could be sent at this stage as
well, although whether or not this is done depends on the size of the
document and the amount of available printer buffer memory. It is
believed preferable at present to retrieve only the envelope, unless
the printer 140 has a significant amount of RAM 240 into which the
whole document could be received.

[0050] In step 445, the printer receives the envelope and, in step
450, forwards the encrypted session key to the smart card reader 280.
The smart card reader 280 transfers the encrypted session key to the
smart card, and the smart card, in turn, decrypts the session key, in
step 455, using the private key stored therein. The smart card
outputs the decrypted session key, in step 460, and the smart card
reader 280 forwards the session key to the CPU 200, in step 465.
[0051] This technique for retrieving the session key is extremely
advantageous, since the private key never needs to leave the smart
card, and thus remains secret even from the printer.

[0052] The printer 140 forwards a message to the document store 130,
in step 470, for the document store to transmit the encrypted
document to the printer 140. In step 475, the document store 130
receives the message and, in step 480, transmits the document to the
printer 140. In step 485, the printer 140 receives the document and,
in step 490, deciphers it back into page description language using
the session key.
[0053] Finally, in step 495, the printer prints the document for the
intended recipient.
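
The submission and retrieval flow of paragraphs [0038] to [0053], as an added example in Go that is not part of the patent text. It assumes AES-256-GCM in place of DES with SHA-1 and RSA-OAEP for the envelope; the names PrintJob, SmartCard, DocumentStore, Submit and Retrieve are hypothetical, and the card and the document store are in-process stand-ins.

```go
// Added example, hypothetical names. AES-256-GCM and RSA-OAEP stand in for DES/SHA-1 and RSA.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// PrintJob is the message of step 345: encrypted document, envelope, identity.
type PrintJob struct {
	Recipient string // identity of the intended recipient
	Envelope  []byte // session key encrypted under the recipient's public key
	Sealed    []byte // nonce followed by the AES-GCM ciphertext of the document
}

// SmartCard models card 145; the private key is never handed to a caller.
type SmartCard struct {
	Identity string
	Public   *rsa.PublicKey // what the directory server 120 would publish
	priv     *rsa.PrivateKey
}

func NewSmartCard(identity string) *SmartCard {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // no usable randomness: nothing sensible to continue with
	}
	return &SmartCard{identity, &priv.PublicKey, priv}
}

// Unwrap is steps 455-460: the session key is decrypted inside the card.
func (c *SmartCard) Unwrap(envelope []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, c.priv, envelope, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

type DocumentStore map[string][]*PrintJob // untrusted store 130: matches identities only

// Submit is the client side (steps 335-350); pub is the key from step 325.
func Submit(s DocumentStore, doc []byte, recipient string, pub *rsa.PublicKey) error {
	buf := make([]byte, 32+12) // fresh session key and GCM nonce for this job
	if _, err := rand.Read(buf); err != nil {
		return err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return err
	}
	envelope, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return err
	}
	sealed := gcm.Seal(nonce, nonce, doc, []byte(recipient)) // identity is authenticated too
	s[recipient] = append(s[recipient], &PrintJob{recipient, envelope, sealed})
	return nil
}

// Retrieve is the printer side (steps 405-490); no jobs yields no documents.
func Retrieve(s DocumentStore, card *SmartCard) ([][]byte, error) {
	var docs [][]byte
	for _, j := range s[card.Identity] {
		key, err := card.Unwrap(j.Envelope)
		if err != nil {
			return nil, fmt.Errorf("unwrap session key: %w", err)
		}
		gcm, err := newGCM(key)
		if err != nil || len(j.Sealed) < gcm.NonceSize() {
			return nil, fmt.Errorf("malformed job for %q", j.Recipient)
		}
		n := gcm.NonceSize()
		doc, err := gcm.Open(nil, j.Sealed[:n], j.Sealed[n:], []byte(j.Recipient))
		if err != nil {
			return nil, fmt.Errorf("decrypt document: %w", err)
		}
		docs = append(docs, doc)
	}
	return docs, nil
}

func main() {
	store, card := DocumentStore{}, NewSmartCard("alice") // constructed identity
	if err := Submit(store, []byte("%!PS constructed sample"), card.Identity, card.Public); err != nil {
		panic(err)
	}
	docs, err := Retrieve(store, card)
	fmt.Printf("%d document(s), err=%v\n", len(docs), err)
}
```

Because the store releases jobs to any requester that presents a matching identity, as paragraph [0025] notes, a card that presents the same identity with a different private key gets the job but fails at the unwrap step.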
[0054] It is envisaged that, alternatively, the smart card itself
might be programmed to enact the decryption of the document. This, of
course, is a design decision.
[0055] It will be appreciated that the network 110 could be a local
area network, a wide area network or even a global area network. For
example, for the case of a global area network, the local computer
100 could be situated in an office in London and the printer could be
located in an airport in Tokyo or New York. Similarly, the directory
server 120 and the document store 130 could be located anywhere in
the world.
[0056] In some embodiments, for responsiveness purposes, it may be
desirable to have mirror document stores (not shown) - similar to
Internet mirror sites - where the data in one store is copied by the
store to other, geographically distant document stores. Thus, for
example, there may be a London-based data server, and Tokyo and New
York-based data servers. On receiving a document, the London data
server would copy the document to both the Tokyo and New York data
servers so that the recipient could retrieve and print the document
from the data server nearest the printer being used. Obviously the
data mirroring could be tuned if it is known where the recipient is
most likely to be when he wishes to print the document. For example,
if the recipient were likely to be in New York, but might instead be
in London, then a document submitted in London would only be mirrored
to the New York-based data server. Such recipient location
information could form part of the user profile information stored by
the directory server 120. Thus, the location information under these
circumstances would also be returned to the local computer 100 with
the public key information, and this information would also be
forwarded to the document store 130.

[0057] It is envisaged that the directory server 120 will hold other
user profile information. For example, a recipient may only ever wish
to receive documents from one specified printer. In this case, the
information returned by the directory server 120 would reflect this
and the document store 130 would then only release the encrypted
document to the specified printer. Other information held by the
directory server 120 for particular users might include printer
information, which determines how the document is formatted by the
local computer 100, for example whether to format the document into
PostScript or PCL. In general, it is expected that the user can
access the directory server 120, for example via the Internet, and
modify his user profile whenever required.

[0058] It will also be appreciated that the components and processes
described above need not reside on different computers. For example,
the local computer 100 could support directory server and document
store processes, as well as a secure printer process.

[0059] Furthermore, there is no reason why any or all of the
processes described herein could not be located and called from any
of a number of different computer systems connected to the
distributed environment. Having said this, it is important, although
not essential (as exemplified in the alternative embodiment described
above), that documents that require secure printing do not pass
across any publicly accessible or low security communications
channels, without being in an encrypted state.

Claims 

1. A method of printing a document in a distributed computer system
comprising a client, a print server, printing apparatus and a network
for interconnecting components of the distributed computer system,
the method comprising the steps of:

a sender selecting a document to be printed, identifying an intended
recipient for the document and causing the client to transmit to the
print server the document accompanied by a first identifier for the
intended recipient;

receiving and storing the document and the associated first
identifier on the print server;

a recipient providing the printing apparatus with a second
identifier, the printing apparatus receiving the second identifier
and transmitting to the print server a request, including the second
identifier, to receive documents from the print server;

the print server receiving the request, comparing the second
identifier with the stored first identifier and, for matching
identifiers, forwarding the document associated with the first
identifier to the printing apparatus; and

the printing apparatus receiving and printing the document.

2. A method according to claim 1, wherein the client encrypts the
document prior to transmitting it to the print server and the
printing apparatus decrypts the encrypted document prior to printing
it.

3. A method according to claim 2, wherein the recipient
provides the printing apparatus with means
necessary for decrypting the encrypted document.

4. A method according to claim 3, wherein the printing
apparatus interacts with a smart card in order to
retrieve and/or decrypt the document using information
and/or functionality programmed into a
smart card provided by the recipient.

5. A method according to claim 4, wherein the smart
card provided by the recipient stores data including
said second identifier and the printing apparatus
extracts the second identifier from the smart card.

6. A method according to claim 4 or claim 5, wherein
the smart card, which is programmed with a
decryption algorithm and stores a secret, receives
encrypted information from the printing apparatus,
decrypts the encrypted information using the secret
and returns the decrypted information to the printing
apparatus.

7. A method according to claim 6, further comprising
the client:

encrypting the document using a first key, the
first key being the key of a symmetric encryption
algorithm;

encrypting the first encryption key using a second
key, the second key being the public key of
an asymmetric encryption algorithm; and

transmitting to the print server the encrypted
document and the first identifier accompanied
by the associated encrypted first key.

8. A method according to claim 6, wherein the client
obtains the second key from a key repository on the
basis of the identity of the intended recipient.

9. A method according to claim 7 or claim 8, further
comprising the printing apparatus:

receiving the encrypted first key from the print
server in response to the request;

forwarding the encrypted first key to the smart
card such that the smart card decrypts the
encrypted first key using the secret and returns
the first key to the printing apparatus, the secret
being the private key of the asymmetric
encryption algorithm; and

using the first key to decrypt the encrypted document.

10. Printing apparatus configured for operation according
to the method of any one of the preceding
claims.

11. A client configured for operation according to the
method of any one of claims 1 to 9.

12. A print server configured for operation according to
the method of any one

13. A distributed computing system configured for
operation according to the method of any one of
claims 1 to 9.

14. Printing apparatus arranged for receiving and printing
documents, comprising:

an interface for connecting the printer to a print
server;

an input/output means for interacting with a
user and receiving an identity from the user;

processing means for generating a request for
a document, the request including the identity
of the user, transmitting the request to the print
server and receiving a document from the print
server; and

means for printing the document for the user.

15. Printing apparatus according to claim 14, further
comprising processing means for receiving and
decrypting an encrypted document received from
the print server.

16. Printing apparatus according to claim 15, wherein
the input/output means is arranged to receive
removable processing means from the user, the
removable processing means providing means
necessary for decrypting the encrypted document.

17. Printing apparatus according to claim 16, wherein
the input/output means comprises a smart card
reading device for receiving a smart card from the
user.

18. Printing apparatus according to claim 17, wherein
the smart card reading device is arranged to extract
the identity of the user from the smart card.

19. Printing apparatus according to claim 17 or claim
18, wherein the smart card reading device is
arranged to forward encrypted information to the
smart card and receive back from the smart card
unencrypted information, the smart card being
arranged to receive encrypted information, decrypt
the encrypted information using a secret stored on
the smart card and return the decrypted information.

20. Printing apparatus according to claim 19, further
comprising:

means to receive from the print server, in
response to the request, an encrypted first key;

means to forward the encrypted first key to the
smart card such that the smart card decrypts
the encrypted first key using the secret and
returns the first key; and

means to decrypt the encrypted document
using the first key.

21. Printing apparatus according to any one of claims 
17 to 20, comprising a casing configured to contain 
the components of the printing apparatus including 
an integrated smart card reader, the casing having 
a slot therein for receiving a smart card through the 
casing and into the smart card reader. 

22. Printing apparatus according to any one of claims 
17 to 20, comprising a printer including interface 
means and a smart card reading device connected 
to the printer via the interface means. 

23. Printing apparatus according to claim 22, wherein
the smart card reading device comprises an interface
means for connecting the device to the network.

24. Printing apparatus according to claim 23, wherein
the smart card reading device comprises:

means to extract the user identity from the
smart card;

means to generate and transmit the request via
the network to the print server;

means to receive from the print server an
encrypted document and an encrypted key;

means to forward the encrypted key to the
smart card, such that the smart card decrypts
and returns the key;

means to decrypt the encrypted document
using the key; and

means to forward the document to the printer to
be printed.

25. A smart card reading device configured for operation
with printing apparatus according to any one of
claims 22 to 24.
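
The message flow of claims 1 and 6 to 9, written out as an added example that is not part of the patent text: the print server only matches identifiers and stores ciphertext, while the smart card alone can unwrap the first key. RSA-OAEP, AES-GCM, the Python cryptography package and all class and function names are assumptions; the claims name no algorithms.

```python
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumed algorithms (RSA-OAEP, AES-GCM); the claims name none.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)

class SmartCard:
    def __init__(self, identifier):
        self.identifier = identifier  # the "second identifier" read by the printer
        self._private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        self.public_key = self._private_key.public_key()  # goes to the key repository

    def unwrap(self, encrypted_first_key):
        # Claim 6: decryption happens on the card; the secret never leaves it.
        return self._private_key.decrypt(encrypted_first_key, OAEP)

class PrintServer:
    def __init__(self):
        self.jobs = []  # (first identifier, encrypted key, nonce, encrypted document)

    def submit(self, *job):
        self.jobs.append(job)

    def fetch(self, second_identifier):
        # Claim 1: forward only jobs whose stored identifier matches the request.
        return [job[1:] for job in self.jobs if job[0] == second_identifier]

def client_send(server, key_repository, recipient, document):
    # Claims 7-8: fresh first key per job, wrapped with the recipient's public key.
    first_key, nonce = AESGCM.generate_key(bit_length=128), os.urandom(12)
    # Binding the identifier as associated data is an addition, not in the claims.
    encrypted_doc = AESGCM(first_key).encrypt(nonce, document, recipient.encode())
    encrypted_key = key_repository[recipient].encrypt(first_key, OAEP)
    server.submit(recipient, encrypted_key, nonce, encrypted_doc)

def printer_release(server, card):
    # Claim 9: the card unwraps the first key, the printer decrypts the document.
    return [AESGCM(card.unwrap(key)).decrypt(nonce, doc, card.identifier.encode())
            for key, nonce, doc in server.fetch(card.identifier)]

def demo():
    # Constructed sample: one job addressed to "alice"; "bob" also badges in.
    alice, bob = SmartCard("alice"), SmartCard("bob")
    server = PrintServer()
    repo = {"alice": alice.public_key, "bob": bob.public_key}
    client_send(server, repo, "alice", b"constructed sample page")
    return printer_release(server, alice), printer_release(server, bob), server
```

A card that presents a matching identifier but holds a different private key passes the server's comparison and then fails at the unwrap step, so the key wrapping, not the identifier match, is what protects the document.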